Spammers often use a variety of obfuscation methods in an attempt to bypass anti-spam filters. We did some follow up analysis on a recent dating spam attack in which the spammers made use of URLs in the message body with spaces inserted in between characters in the URL. Although this obfuscation technique has been much used in the past, it has not been as prevalent in recent times. This particular spam attack was active during the last week of January and lasted until the first week of February, 2011. Approximately 12,000 spam messages were observed in this attack.
The subject and message body in this spam attack were randomized in addition to the URL obfuscation.
Sample subject line variations observed in this attack are:
Subject: Svetlana Martyushova appeared in the chat
Subject: Tatyana Zhivkova - waiting on you
Subject: Kazak Avrora thinks about you
Subject: Alina Lebedkova wants to see you
Subject: Dobrolyubova Liudmila appeared online
Subject: Nataliya Kostyuka wants you to come
Subject: Alesja Durchenko appeared in a video chat
Sample URLs observed in this attack are:
hxxp://fin pr ep online.com
hxxp://backfin group. com
hxxp://back fing roup.com
hxxp://fi nprep online.c om
The domains used in some of the URLs were registered in United States to the same person, and on the same day in August last year. As seen in several URLs in this attack, the spammers also made use of blogspot.com to re-direct the Web pages.
The email implies you are a registered user at a dating website and includes a link (broken) that claims to be either an application form or a questionnaire a Russian girl. However, most of the links ultimately redirected to roma.animoney.net - a Russian dating Web site, associated with Anastasia’s Affiliate Program. Moreover, as expected, redirection to the Russian dating site occurs only if the unbroken link is opened in a Web browser by removing the spaces inserted in between characters. Through such spam emails, spammers attempt to instill a sense of curiosity amongst users who might be interested in interacting and/or meeting these Russian girls, from whom the email appears to come from. All above links are now inactive.
We found that these messages were originating from diverse geographical locations, suggesting that this is most likely a botnet attack. Further examination of specific IPs confirmed that they are indeed infected machines, and are part of multiple botnets. Although some IPs involved in the spam attack were identified as part of the Cutwail botnet, there were also traces of infection from the Lethic botnet in other IPs in the attack.
Thanks to Paresh Joshi for the spam samples contributed to this blog.